Oregon governor signs data breach law

Oregon Democratic Gov. Kate Brown has signed a measure into law that would toughen the state’s consumer data breach laws.

The legislation, which is set to take effect in June, would require that residents be notified within 45 days after a data breach has been discovered, unless doing so would impede a law enforcement investigation.

The measure also would prohibit credit reporting agencies from charging a fee to residents who want to freeze or unfreeze their credit reports.

At least 29 states are taking up consumer security breach notification bills this year, according to the National Conference of State Legislatures. In more than a dozen states, measures would require residents to be notified within a given time, from 48 hours up to 60 days.

And at least 100 bills have been filed in more than half the states to lower or eliminate credit report freeze fees charged to consumers, according to the Consumer Data Industry Association, a trade group representing consumer reporting agencies.

Earlier this month, Washington state Gov. Jay Inslee, a Democrat, signed a no-fee credit freeze bill into law.

Forty-eight states and Washington, D.C., have security breach notification laws, most of which apply to the private sector and to government. But the laws vary considerably, from when affected victims must be notified to what is considered personal information.

Last year, there were a record 1,579 data breaches in the United States, a nearly 45 percent hike over the previous year, according to the Identity Theft Resource Center, a nonprofit that helps victims of identity theft and promotes public awareness.